This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About sabi4evr_com
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About sabi4evr_com
04-06-2022
28Posts
3Likes
0Solutions
Apr 06, 2022Last Visited
User
Activity
User
Profile
Latest posts by sabi4evr_com
| Subject | Views | Posted |
|---|---|---|
| 824 | 03-03-2022 12:08 AM | |
| 839 | 03-02-2022 11:43 PM | |
| 975 | 02-09-2022 04:07 AM | |
| 1014 | 02-09-2022 03:11 AM | |
| 4099 | 01-04-2022 11:20 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-03-2022 12:08 AM | |
| 1 Like | 08-19-2019 03:58 AM | |
| 1 Like | 01-12-2020 03:40 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 4 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 1 Like |
User Badges
Community Statistics
| Member Since | 08-19-2019 03:51 AM |
| Date Last Visited | 04-06-2022 12:02 AM |
| Posts | 28 |
| Total Likes Received | 3 |
03-03-2022
12:08 AM
1 Kudo
If some one else has to follow the thread later in future, the below are the steps I have done. 1. Downgraded the new firewall to the same version as the current firewall version 2. As the device is new, you can either configure your management port to reach the internet and then download the images or download them manually from the palo alto website to upload the base image files and then the require patch file 3.The downgrade process is so simple as the upgrade process, just follow the GUI to install the image files 4. Restore the latest configuration from current unit to new one 5. Connect the cables 1 by 1 from old to new unit 6. Reboot the device and make sure its up and running But after the final restart it was noticed that the FW device is not coming online. The device is UP, can login via SSH but the login pages or the network was not up and running. No blinks for status lights or interface lights. Looking at the services, it was noticed that some cdb service was stopped. Also the auto commit was getting failed. Came to realize that this is a known issue when we are downgrading the devices from a higher to lower version. The article explains the technical reason, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMArCAM&lang=en_US%E2%80%A9 I was able to get the device online by running the below command, which worked in my scenario. Debug management-server client disable cord while committing you will get some error, mention commit failed. I believe you have to go into the configure mode and then do a force commit. Once the commit is done, the interfaces should come up and so is network. As soon as its live update the dynamic and other updates. But this wont fix the issue, restarting the device had the same issue. The issue was properly fixed when we upgraded the firewall version from 9.0.10 to 9.1.12-h3 I believe these issues are common while downgrading and can be fixed while upgrading the PAN OS.
... View more
03-02-2022
11:43 PM
@Astardzhiev Thanks dear. I did the migration and was busy with some other tasks hence the later reply. Just curious to know about this though. " My suggestion was to export the config, convert it for 9.1 and load it to the new device. You don't need to upgrade the old one. " how to convert the configuration from 1 version to another? Any tool?
... View more
02-09-2022
04:07 AM
@Astardzhiev Hi there. Why don't you want to start using the new device with 9.1? >> I have the old unit running with full configurations on version 9.0.10. So, if want to export and import all the configurations from 1 device to another both versions should match. In my humble opinion it is better to put little more effor now by migrating the existing config to 9.1. >> Very true, i am just worried about the support. The support is expired for this unit. So, I am very sure for some reasons the device didnt booted or crashed. They wont support. It happened though. 1 of my old unit was crashed and couldn't recover, but yes the support was active and helped out at that time. My plan was to downgrade and restore the backup and then upgrade to the latest stable version.
... View more
02-09-2022
03:11 AM
Hi Fellas, Can somebody guide for the subject downgrade process? Long story, short I have received new PA units. I want go live with the new one. But the new one is sitting @ PAN OS version 9.1.11. While the old unit which is still in production is running on PAN OS 9.0.10. I know its easy to upgrade the older firewall to 9.1.11. But sadly our support with the old unit expired, if any issue occurred during the upgrade process the support team will not do the support. I was looking @ the downgrade process. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-pan-os/downgrade-pan-os/downgrade-a-firewall-to-a-previous-feature-release.html But confused with the downgrade path. The new unit still in standby mode, not even connected to the internet. So, i have to manually download the image files and update firewall. I am confused with the downgrade path here. Can some one guide me with the downgrade path and steps? @kiwi mate, can you help me with this process?
... View more
01-04-2022
11:20 PM
Hi @Mudhireddy please share the download link or guide me how to download the same.
... View more
12-25-2021
10:13 PM
Hi @kiwi Thanks for helping out. I got the idea now. Tried but didnt worked out the way it should. But so far I am able to manage it far better than before, thanks to the solutions provided. I have noticed that you are using PA VM for testing purpose. I have only a production units here, so bit afraid to do experiments on the same. How can I download such a VM? Does it needs a license? Thanks
... View more
12-21-2021
12:49 AM
Hi @kiwi Thanks for guiding me. I am slowly learning the methods. Yes, it does work and I am sure this can help me a lot. The new list I received is to block 250 IPs. So, here is what I did. Copied the format to an excel and cloned the 250 rows and changed the IPs as required. Saved it as a .csv and pasted them in a notepad. It was noticed that format was a little odd and I did some formatting to the notepad like adjusting white spaces. Tried with 1 line and it worked. But when I tried multiple lines the CLI reported wrong formatting. But the formatting in notepad looks fine though. The below was the syntax error. admin@PA-3020# set address ADGOVCERT2021107-14 <name> <name> <Enter> Finish input admin@PA-3020# set address ADGOVCERT2021107-14ip-netmask 185.220.101.142/32 There was a missing 'space' between the 'description' and 'ip net mask'. Is there any easy way to fix the formatting issue? Other wise I have to copy and paste line by line, 250 lines in total.
... View more
12-20-2021
04:29 AM
Hi @kiwi That looks cool. I will give it a try. May I know if its possible we can add all these newly imported IPs to an address group? ie; I already have a custom address group, where I have a list of IPs whom should be blocked. So, how can we update the existing list by adding new IPs? Possible via CLI?
... View more
12-15-2021
11:06 PM
Dear all, Can some one guide me on how I can import IP address in bulk to PA FW? These days I am getting a huge number of IPs and URLs which needs to be blocked on the Firewall end. For the URLs we can do the import. But how to do the same for IPs? I tried the CLI method mentioned in this URL 'https://www.analysisman.com/2020/11/pan-import-csv.html'. But receiving the error "2021/12/16 10:22:49 error code 403: Forbidden - Returned for authentication or authorization errors including invalid key, insufficient admin access rights (keygen)". Does this have any relation to the password I am using? Yes, its does contains alpha numeric and special characters. Thanks in advance
... View more
12-15-2021
10:54 PM
Yes, it happened. The primary PA FW was crashed and we couldn't recover. We had a huge network outage, it all happened with a faulty network switch which continuously sends the topology change packets to the entire network resulting in a network loop. At some point the FW was not responding, did a reboot after the backup. It never came back, the status lights were off except the power light. Even nothing from the console port as well, no messages or boot information showed up. Luckily we had the PA OSS device. This is what we did. 1. Raised a case with the support at the highest priority 2. We powered on the OSS device and confirmed the PAN OS version 3. There was a version difference between these 2 devices 4. Downloaded the base PAN OS and the updates to match the version of PAN OSS to the live unit 5. With the help of mgmt port, updated the OS of OSS unit 6. Restored latest backup to the OSS unit 7. We did received some errors during the restoration, I believe those were some Firewall security rules, which was easy to troubleshoot 8. The support guys came into the scenario 9. For some reason, the OSS unit was not showing in device list. May be it wasn't added during the time of purchase 10. They added the unit with the SN # information 9. Downloaded the latest AV, URL, GP, Clientless VPN and other licenses from the portal and restored to the OSS unit 10. Removed the existing license information of faulty unit from the Portal 11. Assigned the license to the OSS unit and renamed the Unit to Production one 12. All services were restored 13. RMA was issued, but it took 2 weeks or so 14. The core team was unable to analyze the firewall as it was completely given up The overall process might have taken 2-3 hours. As we were doing this for the first time on working hours it was a difficult one. Having the support engineer on the right time saved us a big time or else we could have spend more hours figuring out on how to transfer the licenses.
... View more
04-17-2021
10:57 PM
Did you give a try in downloading and import the Threat license from the palo alto customer portal? If not, just give a try. Try the below methods to download the same. 1. login to customer support 2. Go to assets 3. Select devices 4. Download the Threat Prevention License I think the OSS should also have all the latest dynamic updates as well.
... View more
04-17-2021
10:49 PM
I am not sure on the below. I have never tried to import the device state to the OSS unit as I was afraid that having the same configuration on 2 devices might have some impact on the network. I don't have a test network as well, so I didn't tried. So, far I am just backing up all the device backups on a monthly basis. What I know is that during that a device failure, we will need the PA support assistance in transferring the current PA licenses to the OSS unit.
... View more
09-15-2020
03:51 AM
Dear Abdul, Am I mentioning the below in the configuration steps correctly? This is based on my idea so far. Please correct me if I am wrong. STAGE 1 1. create agg grp 2. assign interface name (ae1) 3. interface type - Layer 3 4. config- virtual router > default security zone > Internal Zone 5. IPv4 - assign the static IP for this group 6. enable LACP 7. maximum interfaces? keep it 2? as only 2 interfaces will be used for this purpose? 8. Advanced - Other info > Management Profile > Select the management profile STAGE 2 1.Configure a new interface 2. Select aggregate group - ae1 3. leave the advanced settings to the default options
... View more
- Tags:
- ll t
09-15-2020
03:21 AM
Dear Abdul, Thanks for the update. Both switches are in stack. For my case can you please guide me through step by step for this configuration. Currently port #1 is configured and is connected with Cisco core switch. This port interface type is L3. Do i need to create a similar interface configuration on port 3 for the second switch? And then proceed to the 'Add Aggregate Group'?
... View more
09-15-2020
12:36 AM
Dear Techs, Hope you all are doing fine and safe. Can some one give me an insight on how I can configure 'Aggregate Interface Group' so that I can maintain a high availability for Internet traffic with my core switch? To make it more simple. The below is my current scenario. From a single cisco core switch, up-links goes to the firewall and then to the Internet. This single core switch is now getting replaced by 2 Huawei core switches, both in active-active mode. We have tested the 1 up-link scenario to firewall and is working as expected. To maintain the high network availability. Both up-links from Huawei core switch have to be added in the aggregate group in firewall. I was following this doc https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-an-aggregate-interface-group but is making me bit confused. Let’s consider I have 2 ethernet interfaces (up links from Huawei) configured on the interfaces 2 and 9. Ideally both interface configuration should be same as well. While creating an aggregate group, how we will inform palo alto that I will be using interfaces 2 and 9 as up links and these ports should be in this group?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-06-2022
12:02 AM
|
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks